The Nexus team has issued a statement on their website that a grey-hat hacker was able to obtain a whopping 2000 private keys from Nexus QT Windows users. More than 1M NXS were taken out, and a lot of users noticed it, as described in this Reddit post.
Balance moved to unknown address during staking – “I was staking from my wallet and I just noticed that my entire balance was moved in block 2550568 to an unknown address”
This happened on the 1st of April to those users who downloaded the official Windows wallet of Nexus from their GitHub on the 18th of January 2019. Exchanges were quick to suspend the wallets in the meantime.
On April 4th, the team says 0.5M has already been returned.
So how did the hacker manage to get hold of the private keys? The hacker created a modified version of the Nexus QT wallet. The MD5 hash of the affected binary is 035790907175533296cc453990bf1c7e. The correct MD5 hash is f4f4c29a2340d132094ed33dd3cbca70.
To check the hash of your copy, open a command prompt and run:
CertUtil -hashfile nexus-qt.exe MD5
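The same check in script form, as an added example that is not part of the article or of the Nexus project's code: it hashes a file in chunks, compares the MD5 against the two values quoted above, and also records the SHA-256 so that a stronger digest is on hand for comparison with any official checksum. The file path (defaulting to nexus-qt.exe in the current directory) and the verdict labels are my own assumptions.

```python
import hashlib
import io
import sys

# MD5 values quoted in the article from the Nexus team statement.
KNOWN_BAD_MD5 = "035790907175533296cc453990bf1c7e"   # trojanised binary
KNOWN_GOOD_MD5 = "f4f4c29a2340d132094ed33dd3cbca70"  # official build


def digests(stream, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) of a binary stream, read in chunks
    so large executables do not have to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def digests_of_bytes(data):
    """Convenience wrapper for in-memory data (used for testing)."""
    return digests(io.BytesIO(data))


def classify(md5_hex, good=KNOWN_GOOD_MD5, bad=KNOWN_BAD_MD5):
    """Map an MD5 digest to a verdict. Matching the known-bad value is a
    positive indicator of the compromised download; matching the known-good
    value only says the file equals the build the article lists; anything
    else is unknown and should be checked against the vendor's own
    published checksums. Verdict labels are assumptions, not Nexus's."""
    h = md5_hex.strip().lower()
    if h == bad:
        return "COMPROMISED"
    if h == good:
        return "MATCHES_OFFICIAL"
    return "UNKNOWN"


def check_wallet_binary(path):
    """Hash the file at `path` and return its digests plus the verdict."""
    with open(path, "rb") as f:
        md5_hex, sha256_hex = digests(f)
    return {"md5": md5_hex, "sha256": sha256_hex, "verdict": classify(md5_hex)}


if __name__ == "__main__":
    # Assumed default filename, matching the CertUtil command in the article.
    target = sys.argv[1] if len(sys.argv) > 1 else "nexus-qt.exe"
    result = check_wallet_binary(target)
    print(f"MD5     {result['md5']}")
    print(f"SHA-256 {result['sha256']}")
    print(f"verdict {result['verdict']}")
```

An MD5 match against the known-bad value is a reliable detection signal for this incident, since the compromised file is a fixed artifact. For deciding whether a fresh download is authentic, MD5 alone is weaker than a SHA-256 checksum or a code signature published by the project, which is why the script records the SHA-256 as well.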
How to recover your funds:
- Go to your transactions page and find your latest trust transaction (if you were affected you might see a large stake transaction; use the address before it, which was your trust key).
- Make sure to double-check that the address you sign for was included in the coinstake transaction. It will look like this: https://nexplorer.io/addresses/2S2sz1sxshG3w26bJXjHgHYws3xhANqBKu6EvmPaMWRL1wmw5HL
- When you find the address, right click the transaction and click “Copy”
- Go to File -> Sign Message
- You will then get a dialogue box with a few fields. The first field is the address field, into which you will want to paste the address you just copied.
- From there, you will see the message body, in which you will want to type your Slack name (case sensitive).
- Once this is done, click the Sign Message button and you will see a big data dump appear in the lower body. It will look something like this: IQA/r5KkI0Jh1xmy5PF1JM6wtFrAaGHM4m7aLajj9Ekhu/m2V8gmMXq32hA16es3X0RQbnue2wLfSnUwIUC/7q6KSHgoLJ4r6wOc3FqZ7xdqVlaicB23MukmXvKhHcDPxnBFVQsyk2sw9w+k2ecoLsBtxrkH9t7VBGfcXmmfAfe1KGa9gSyqmJNvn/TLbb7eHQ==
- Copy this into the #fund-recovery channel in Slack, along with the old address from which you lost the funds (ex. 2QhmC4xosD16g4Q26BdN3aqKUX56JVwJ6yswREg3LC9nT4buScX) and a new address to return the funds to. This address should be created with a fresh wallet to ensure your wallet has no compromised keys.
- We will then take this signature and verify you were in fact the owner of the balance in question and direct message you the txid of your returned funds once confirmed.
Again, we at cryptocoindaddy do not want to create panic. Also, if you use Linux or Mac, you were not affected, as only Windows systems were targeted.